2 files changed, 214 insertions, 0 deletions
diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc
index fe87ac98ae..ddd6451ccc 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -12,6 +12,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
 SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
           file://CVE-2025-57812.patch \
           file://CVE-2025-64524.patch \
+           file://CVE-2023-24805.patch \
           "
 inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch
new file mode 100644
index 0000000000..fd8ef7b806
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch
@@ -0,0 +1,213 @@
+From c90dcbd2887c1221a1c298c7a194b1d93ed0e501 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Wed, 17 May 2023 11:12:37 +0200
+Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
+* beh backend: Use execv() instead of system() - CVE-2023-24805
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+* beh backend: Extra checks against odd/forged input - CVE-2023-24805
+- Do not allow '/' in the scheme of the URI (= backend executable
+  name), to assure that only backends inside /usr/lib/cups/backend/
+  are used.
+- Pre-define scheme buffer to empty string, to be defined for case of
+  uri being NULL.
+- URI must have ':', to split off scheme, otherwise error.
+- Check return value of snprintf() to create call path for backend, to
+  error out on truncation of a too long scheme or on complete failure
+  due to a completely odd scheme.
+* beh backend: Further improvements - CVE-2023-24805
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+  does not require setting terminating zero byte in case of truncation.
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+  backends.
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+  fprintf() which could be running in the main process when
+  sigterm_handler() is triggered.
+- Use "static volatile int" for global variable job_canceled.
+CVE: CVE-2023-24805
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 83 insertions(+), 24 deletions(-)
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..e864c22 100644
+--- a/backend/beh.c
+++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
+#include <sys/wait.h>
+ 
+ /*
+  * Local globals...
+  */
+ 
+-static int             job_canceled = 0; /* Set to 1 on SIGTERM */
+static volatile int    job_canceled = 0; /* Set to 1 on SIGTERM */
+ 
+ /*
+  * Local functions...
+@@ -213,20 +214,43 @@ call_backend(char *uri,                 /* I - URI of final destination */
+             char **argv,               /* I - Command-line arguments */
+             char *filename) {          /* I - File name of input data */
+   const char   *cups_serverbin;        /* Location of programs */
+  char         *backend_argv[8];       /* Arguments for called CUPS backend */
+   char         scheme[1024],           /* Scheme from URI */
+                 *ptr,                  /* Pointer into scheme */
+-               cmdline[65536];         /* Backend command line */
+-  int           retval;
+               backend_path[2048];     /* Backend path */
+  int          pid,
+               wait_pid,
+               wait_status,
+               retval = 0;
+  int          bytes;
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-    scheme[1023] = '\0';
+  scheme[0] = '\0';
+  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+     *ptr = '\0';
+  else
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
+    exit (CUPS_BACKEND_FAILED);
+  }
+  if (strchr(scheme, '/'))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
+    exit (CUPS_BACKEND_FAILED);
+  }
+  if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
+           scheme);
+    exit (CUPS_BACKEND_FAILED);
+  }
+ 
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+     cups_serverbin = CUPS_SERVERBIN;
+@@ -235,16 +259,26 @@ call_backend(char *uri,                 /* I - URI of final destination */
+     fprintf(stderr,
+            "ERROR: beh: Direct output into a file not supported.\n");
+     exit (CUPS_BACKEND_FAILED);
+-  } else
+-    snprintf(cmdline, sizeof(cmdline),
+-            "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+-            cups_serverbin, scheme, argv[1], argv[2], argv[3],
+-            /* Apply number of copies only if beh was called with a
+-               file name and not with the print data in stdin, as
+-               backends should handle copies only if they are called
+-               with a file name */
+-            (argc == 6 ? "1" : argv[4]),
+-            argv[5], filename);
+  } 
+
+  backend_argv[0] = uri;
+  backend_argv[1] = argv[1];
+  backend_argv[2] = argv[2];
+  backend_argv[3] = argv[3];
+  backend_argv[4] = (argc == 6 ? "1" : argv[4]);
+  backend_argv[5] = argv[5];
+  backend_argv[6] = filename;
+  backend_argv[7] = NULL;
+
+  bytes = snprintf(backend_path, sizeof(backend_path),
+                  "%s/backend/%s", cups_serverbin, scheme);
+  if (bytes < 0 || bytes >= sizeof(backend_path))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
+           scheme);
+    exit (CUPS_BACKEND_FAILED);
+  }
+ 
+  /*
+   * Overwrite the device URI and run the actual backend...
+@@ -253,17 +287,40 @@ call_backend(char *uri,                 /* I - URI of final destination */
+   setenv("DEVICE_URI", uri, 1);
+ 
+   fprintf(stderr,
+-         "DEBUG: beh: Executing backend command line \"%s\"...\n",
+-         cmdline);
+         "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
+         backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
+         backend_argv[4], backend_argv[5],
+         (backend_argv[6] && backend_argv[6][0] ? " " : ""),
+         (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
+   fprintf(stderr,
+          "DEBUG: beh: Using device URI: %s\n",
+          uri);
+ 
+-  retval = system(cmdline) >> 8;
+  if ((pid = fork()) == 0)
+  {
+    retval = execv(backend_path, backend_argv);
+    if (retval == -1)
+      fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
+             strerror(errno));
+    exit (CUPS_BACKEND_FAILED);
+  }
+  else if (pid < 0)
+  {
+    fprintf(stderr, "ERROR: Unable to fork for backend\n");
+    return (CUPS_BACKEND_FAILED);
+  }
+
+  while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
+ 
+-  if (retval == -1)
+-    fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+-           strerror(errno));
+  if (wait_pid >= 0 && wait_status)
+  {
+    if (WIFEXITED(wait_status))
+      retval = WEXITSTATUS(wait_status);
+    else if (WTERMSIG(wait_status) != SIGTERM)
+      retval = WTERMSIG(wait_status);
+    else
+      retval = 0;
+  }
+ 
+   return (retval);
+ }
+@@ -277,8 +334,10 @@ static void
+ sigterm_handler(int sig) {             /* I - Signal number (unused) */
+   (void)sig;
+ 
+-  fprintf(stderr,
+-         "DEBUG: beh: Job canceled.\n");
+  const char * const msg = "DEBUG: beh: Job canceled.\n";
+  // The if() is to eliminate the return value and silence the warning
+  // about an unused return value.
+  if (write(2, msg, strlen(msg)));
+ 
+   if (job_canceled)
+     _exit(CUPS_BACKEND_OK);

diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index fe87ac98ae..ddd6451ccc 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -12,6 +12,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
12	SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \	12	SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
13	file://CVE-2025-57812.patch \	13	file://CVE-2025-57812.patch \
14	file://CVE-2025-64524.patch \	14	file://CVE-2025-64524.patch \
		15	file://CVE-2023-24805.patch \
15	"	16	"
16		17
17	inherit autotools-brokensep gettext pkgconfig	18	inherit autotools-brokensep gettext pkgconfig


diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch new file mode 100644 index 0000000000..fd8ef7b806 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch
@@ -0,0 +1,213 @@
		1	From c90dcbd2887c1221a1c298c7a194b1d93ed0e501 Mon Sep 17 00:00:00 2001
		2	From: Till Kamppeter <till.kamppeter@gmail.com>
		3	Date: Wed, 17 May 2023 11:12:37 +0200
		4	Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
		5
		6	* beh backend: Use execv() instead of system() - CVE-2023-24805
		7
		8	With execv() command line arguments are passed as separate strings and
		9	not the full command line in a single string. This prevents arbitrary
		10	command execution by escaping the quoting of the arguments in a job
		11	with forged job title.
		12
		13	* beh backend: Extra checks against odd/forged input - CVE-2023-24805
		14
		15	- Do not allow '/' in the scheme of the URI (= backend executable
		16	name), to assure that only backends inside /usr/lib/cups/backend/
		17	are used.
		18
		19	- Pre-define scheme buffer to empty string, to be defined for case of
		20	uri being NULL.
		21
		22	- URI must have ':', to split off scheme, otherwise error.
		23
		24	- Check return value of snprintf() to create call path for backend, to
		25	error out on truncation of a too long scheme or on complete failure
		26	due to a completely odd scheme.
		27
		28	* beh backend: Further improvements - CVE-2023-24805
		29
		30	- Use strncat() instead of strncpy() for getting scheme from URI, the latter
		31	does not require setting terminating zero byte in case of truncation.
		32
		33	- Also exclude "." or ".." as scheme, as directories are not valid CUPS
		34	backends.
		35
		36	- Do not use fprintf() in sigterm_handler(), to not interfere with a
		37	fprintf() which could be running in the main process when
		38	sigterm_handler() is triggered.
		39
		40	- Use "static volatile int" for global variable job_canceled.
		41
		42	CVE: CVE-2023-24805
		43	Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65]
		44	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		45	---
		46	backend/beh.c \| 107 +++++++++++++++++++++++++++++++++++++++-----------
		47	1 file changed, 83 insertions(+), 24 deletions(-)
		48
		49	diff --git a/backend/beh.c b/backend/beh.c
		50	index 225fd27..e864c22 100644
		51	--- a/backend/beh.c
		52	+++ b/backend/beh.c
		53	@@ -22,12 +22,13 @@
		54	#include "backend-private.h"
		55	#include <cups/array.h>
		56	#include <ctype.h>
		57	+#include <sys/wait.h>
		58
		59	/*
		60	* Local globals...
		61	*/
		62
		63	-static int job_canceled = 0; /* Set to 1 on SIGTERM */
		64	+static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
		65
		66	/*
		67	* Local functions...
		68	@@ -213,20 +214,43 @@ call_backend(char uri, / I - URI of final destination */
		69	char *argv, / I - Command-line arguments */
		70	char filename) { / I - File name of input data */
		71	const char cups_serverbin; / Location of programs */
		72	+ char backend_argv[8]; / Arguments for called CUPS backend */
		73	char scheme[1024], /* Scheme from URI */
		74	ptr, / Pointer into scheme */
		75	- cmdline[65536]; /* Backend command line */
		76	- int retval;
		77	+ backend_path[2048]; /* Backend path */
		78	+ int pid,
		79	+ wait_pid,
		80	+ wait_status,
		81	+ retval = 0;
		82	+ int bytes;
		83
		84	/*
		85	* Build the backend command line...
		86	*/
		87
		88	- strncpy(scheme, uri, sizeof(scheme) - 1);
		89	- if (strlen(uri) > 1023)
		90	- scheme[1023] = '\0';
		91	+ scheme[0] = '\0';
		92	+ strncat(scheme, uri, sizeof(scheme) - 1);
		93	if ((ptr = strchr(scheme, ':')) != NULL)
		94	*ptr = '\0';
		95	+ else
		96	+ {
		97	+ fprintf(stderr,
		98	+ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
		99	+ exit (CUPS_BACKEND_FAILED);
		100	+ }
		101	+ if (strchr(scheme, '/'))
		102	+ {
		103	+ fprintf(stderr,
		104	+ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
		105	+ exit (CUPS_BACKEND_FAILED);
		106	+ }
		107	+ if (!strcmp(scheme, ".") \|\| !strcmp(scheme, ".."))
		108	+ {
		109	+ fprintf(stderr,
		110	+ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
		111	+ scheme);
		112	+ exit (CUPS_BACKEND_FAILED);
		113	+ }
		114
		115	if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
		116	cups_serverbin = CUPS_SERVERBIN;
		117	@@ -235,16 +259,26 @@ call_backend(char uri, / I - URI of final destination */
		118	fprintf(stderr,
		119	"ERROR: beh: Direct output into a file not supported.\n");
		120	exit (CUPS_BACKEND_FAILED);
		121	- } else
		122	- snprintf(cmdline, sizeof(cmdline),
		123	- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
		124	- cups_serverbin, scheme, argv[1], argv[2], argv[3],
		125	- /* Apply number of copies only if beh was called with a
		126	- file name and not with the print data in stdin, as
		127	- backends should handle copies only if they are called
		128	- with a file name */
		129	- (argc == 6 ? "1" : argv[4]),
		130	- argv[5], filename);
		131	+ }
		132	+
		133	+ backend_argv[0] = uri;
		134	+ backend_argv[1] = argv[1];
		135	+ backend_argv[2] = argv[2];
		136	+ backend_argv[3] = argv[3];
		137	+ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
		138	+ backend_argv[5] = argv[5];
		139	+ backend_argv[6] = filename;
		140	+ backend_argv[7] = NULL;
		141	+
		142	+ bytes = snprintf(backend_path, sizeof(backend_path),
		143	+ "%s/backend/%s", cups_serverbin, scheme);
		144	+ if (bytes < 0 \|\| bytes >= sizeof(backend_path))
		145	+ {
		146	+ fprintf(stderr,
		147	+ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
		148	+ scheme);
		149	+ exit (CUPS_BACKEND_FAILED);
		150	+ }
		151
		152	/*
		153	* Overwrite the device URI and run the actual backend...
		154	@@ -253,17 +287,40 @@ call_backend(char uri, / I - URI of final destination */
		155	setenv("DEVICE_URI", uri, 1);
		156
		157	fprintf(stderr,
		158	- "DEBUG: beh: Executing backend command line \"%s\"...\n",
		159	- cmdline);
		160	+ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
		161	+ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
		162	+ backend_argv[4], backend_argv[5],
		163	+ (backend_argv[6] && backend_argv[6][0] ? " " : ""),
		164	+ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
		165	fprintf(stderr,
		166	"DEBUG: beh: Using device URI: %s\n",
		167	uri);
		168
		169	- retval = system(cmdline) >> 8;
		170	+ if ((pid = fork()) == 0)
		171	+ {
		172	+ retval = execv(backend_path, backend_argv);
		173	+ if (retval == -1)
		174	+ fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
		175	+ strerror(errno));
		176	+ exit (CUPS_BACKEND_FAILED);
		177	+ }
		178	+ else if (pid < 0)
		179	+ {
		180	+ fprintf(stderr, "ERROR: Unable to fork for backend\n");
		181	+ return (CUPS_BACKEND_FAILED);
		182	+ }
		183	+
		184	+ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
		185
		186	- if (retval == -1)
		187	- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
		188	- strerror(errno));
		189	+ if (wait_pid >= 0 && wait_status)
		190	+ {
		191	+ if (WIFEXITED(wait_status))
		192	+ retval = WEXITSTATUS(wait_status);
		193	+ else if (WTERMSIG(wait_status) != SIGTERM)
		194	+ retval = WTERMSIG(wait_status);
		195	+ else
		196	+ retval = 0;
		197	+ }
		198
		199	return (retval);
		200	}
		201	@@ -277,8 +334,10 @@ static void
		202	sigterm_handler(int sig) { /* I - Signal number (unused) */
		203	(void)sig;
		204
		205	- fprintf(stderr,
		206	- "DEBUG: beh: Job canceled.\n");
		207	+ const char * const msg = "DEBUG: beh: Job canceled.\n";
		208	+ // The if() is to eliminate the return value and silence the warning
		209	+ // about an unused return value.
		210	+ if (write(2, msg, strlen(msg)));
		211
		212	if (job_canceled)
		213	_exit(CUPS_BACKEND_OK);